Malvertising, when ads are a trap
Table of Contents
Malvertising is a malicious technique that involves using fake ads on search engines and social networks to deploy malware
What are the products or services that people want to buy? What do people search for on Google, Bing or Yahoo? And, what ads can seduce users of social networks such as Instagram, TikTok or YouTube? These legitimate questions, which are asked by all companies wishing to market their products via social networks or search engine advertising (SEM), are also the starting point for cybercriminals carrying out malvertising attacks.
Like many other techniques, malvertising combines social engineering tactics with various types of malware. In this sense, its name already suggests how it works: malicious actors use advertising on social networks and search engines to get citizens and companies to download a malware-infected program or file.
What are the objectives of malicious actors? Obtaining information to commit other attacks, accessing multiple types of personal or professional accounts, hijacking private data to market it, financial fraud, draining cryptocurrency wallets, taking control of infected computers…
Malvertising is a technique with enormous potential for criminals because Facebook, Instagram, or Google ads have become a constant in our daily lives and a way of marketing products and services used by millions of companies. Therefore, it is feasible that a citizen can be deceived by a malicious actor if the ad and the page to which it leads offer a semblance of legitimacy.
In the following, we will explore the keys to malvertising and examine what companies and citizens can do to combat this malicious technique.
1. Exploiting people’s desires and precisely defining targets
Although it may seem trivial, a critical aspect of malvertising is the choice of the company and the service or product whose identity is to be impersonated. After all, if the advertised product does not generate interest among users, no one will click on the malicious ad.
For example, in early April 2024, several malvertising campaigns were unveiled on Facebook advertising the services of some of the world’s best-known generative AIs such as ChatGPT, DALL-E, SORA or Midjourney. How did they seduce their victims? By offering them the possibility to test new AI system updates in advance. However, behind these ads were hidden various info-stealers that allowed criminals to steal data from users’ browsers:
- Login credentials for various platforms and software.
- Cookies.
- Credit card or cryptocurrency wallet data.
In addition to resorting to products and services with high social demand, we should consider another advantage of malvertising. Malicious actors can decide which people will view their malicious ads. Why? Logically, ad creation tools such as Facebook Ads or Google Ads allow companies to segment the audience of their ads so that they are shown only to their target audiences, defining aspects such as gender, age, where they live, etc.
From the hostile actors’ point of view, this is a great advantage when it comes to targeting their potential victims and also allows them to reduce the money they have to spend on ads to get clicks.
2. Hijacking social network profiles and impersonating companies
The case mentioned above shows us another key to malvertising, especially regarding social media platforms: the profiles from which the fake ads are created.
In recent years, cyber intelligence professionals have detected a phenomenon that has been gaining prominence: the hacking of social network accounts. One of the purposes of the criminals who carry out this activity is to steal profiles of real people and companies to transform them and impersonate the identities of other companies. This is precisely what the criminals in the above case did.
So, they hijacked private Facebook profiles and impersonated AI systems companies by sharing photos and information to make the pages look legitimate and not raise suspicions among the social network or the users viewing the ads.
In another recent case, hostile actors launched a malvertising campaign through YouTube, offering NFTs that don’t exist and fake discounts on cryptocurrencies, to what end? To redirect users to a web of 1,700 WordPress sites infected with crypto drainers to get their hands on their crypto assets.
Therefore, a fundamental element of most phishing campaigns is creating fake but very realistic-looking web pages to which victims are directed from advertisements. These pages are essential in malvertising because they must generate sufficient trust in the victim to make him willing to enter personal data or download programs and files.
3. Different types of malware and increasingly complex attacks
So far, we have focused on the social engineering tactics used by criminals to allow them to find an attack vector. Once the deception is successful, malware comes into play.
The more sophisticated the malware used to infect a victim’s device, the more difficult it is to detect.
This is why the most advanced criminal groups continually design new malware and innovate their techniques, tactics and procedures (TTPs). For example, at the end of 2023, BlackCat, one of the most famous global cybercriminal groups, launched a malvertising campaign using Google Ads. To do so, it designed fake ads offering professional and business software. As a result, some company employees took the bait, downloaded malware and provided BlackCat with access to corporate systems.
As a result, BlackCat was able to infect multiple companies’ IT infrastructure using initial access malware that could hide and go undetected and then ransomware to steal their data and demand a ransom in exchange for its return.
4. Who can carry out a malvertising attack?
As we have just pointed out, malvertising attacks can reach a high level of sophistication, consume a large amount of financial resources and require months of work before the criminals can achieve their malicious goals and monetize the attacks.
Does this mean only criminal groups with more significant resources, knowledge, and experience can launch malvertising campaigns? Unfortunately, not. The expansion of Phishing-as-a-Service and Malware-as-a-Service models has resulted in thousands of small criminals being able to launch sophisticated attacks using social engineering and malware, including malvertising attacks.
In addition, the increasing sophistication of generative AIs can help malicious actors develop fraudulent pages, generate fake images, text and videos, or even build code.
5. How can malvertising attacks be prevented?
Let’s move from the attackers to the companies and citizens who are affected by malvertising:
- Companies that own social networks and search engines.
- Companies whose identity is impersonated to commit fraud.
- The direct victims of malvertising attacks may be citizens or professionals working in companies, and they are the real targets of criminals.
5.1. Social networks and search engines
Search engines and social networking platforms must strengthen their security protocols to prevent malicious actors from taking control of actual user pages and creating fraudulent ads. They must also have comprehensive cyber intelligence services to help prevent fraud on their platforms.
Threat Hunting services can also be crucial in uncovering and understanding the most innovative TTPs of criminal groups and taking a proactive approach in the fight against fraud.
Otherwise, they will see their credibility damaged to the point where users will no longer trust the ads, which would be a significant crisis in their business models, as ads are one of their primary sources of revenue.
5.2. Impersonated companies
Malvertising is also a big problem for companies whose identities are impersonated for criminal purposes. Not only does it damage their brand image, but it can also discourage users from clicking on the legitimate ads they offer on social networks and search engines. This is critical for companies that rely heavily on SEM and social media to capture leads and generate digital sales.
For this reason, organizations must have cyber intelligence experts who provide them with fraud prevention and anti-piracy services online. Thanks to these services, social engineering campaigns that impersonate companies’ identities and the dissemination of fake products and services can be detected.
5.3. Individuals and organizations affected by malvertising campaigns
Individual citizens can avoid becoming victims of malvertising by exercising caution and common sense. In addition, some indications allow individuals to be wary. For example, if a web page to which an advertisement redirects presents a strange URL that is not consistent with the web network of the advertising company.
Beyond this, companies must consider that their professionals can be victims of malvertising when designing their cybersecurity strategies. They also have at their disposal various cybersecurity services that can be key to preventing malvertising attacks and, should they occur, detecting the presence of malware and responding to malicious actions quickly and effectively:
- Social engineering tests expressly contemplate malvertising campaigns to evaluate how the organization responds and measure the level of training of its professionals to increase it and make them aware of it.
- Red Team services to test a company’s resilience to malvertising attacks, designing specific scenarios and helping to improve defensive capabilities against social engineering and malware deployment.
- Incident response services. Suppose a worker downloads malware and infects corporate computers and systems. In that case, it is critical to have an incident response team in place to identify the threat, contain the attack and expel the malicious actor before it causes severe damage.
In short, malvertising is a fraudulent practice that can cause significant damage to social media platforms, web search engines and thousands of companies and enterprises, regardless of their size. Therefore, it is essential to be aware of this technique that combines social engineering and malware to obtain confidential information and commit fraud and scams against companies and citizens.
This article is part of a series of articles about Social Engineering
- Tips to avoid becoming a victim of CEO fraud and other impersonation attempts
- Phishing as a Service: Kits to steal money and data from companies
- What is SEO poisoning?
- Malvertising, when ads are a trap
- Whaling attack, when criminals think they are Captain Ahab
- The QR code scam and quishing: Be careful what you scan!
- Fake job offers. When a job opportunity turns into a nightmare
- Clickbait scams: Curiosity swindled the cat